github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/google/compute/no_public_ingress.go (about)

     1  package compute
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/cidr"
     5  	"github.com/khulnasoft-lab/defsec/internal/rules"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     7  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     8  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     9  	"github.com/khulnasoft-lab/defsec/pkg/state"
    10  )
    11  
    12  var CheckNoPublicIngress = rules.Register(
    13  	scan.Rule{
    14  		AVDID:      "AVD-GCP-0027",
    15  		Provider:   providers.GoogleProvider,
    16  		Service:    "compute",
    17  		ShortCode:  "no-public-ingress",
    18  		Summary:    "An inbound firewall rule allows traffic from /0.",
    19  		Impact:     "The port is exposed for ingress from the internet",
    20  		Resolution: "Set a more restrictive cidr range",
    21  		Explanation: `Network security rules should not use very broad subnets.
    22  
    23  Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.`,
    24  		Links: []string{
    25  			"https://cloud.google.com/vpc/docs/using-firewalls",
    26  		},
    27  		Terraform: &scan.EngineMetadata{
    28  			GoodExamples:        terraformNoPublicIngressGoodExamples,
    29  			BadExamples:         terraformNoPublicIngressBadExamples,
    30  			Links:               terraformNoPublicIngressLinks,
    31  			RemediationMarkdown: terraformNoPublicIngressRemediationMarkdown,
    32  		},
    33  		Severity: severity.Critical,
    34  	},
    35  	func(s *state.State) (results scan.Results) {
    36  		for _, network := range s.Google.Compute.Networks {
    37  			if network.Firewall == nil {
    38  				continue
    39  			}
    40  
    41  			if len(network.Firewall.SourceTags) > 0 && len(network.Firewall.TargetTags) > 0 {
    42  				continue
    43  			}
    44  
    45  			for _, rule := range network.Firewall.IngressRules {
    46  				if !rule.IsAllow.IsTrue() {
    47  					continue
    48  				}
    49  				if rule.Enforced.IsFalse() {
    50  					continue
    51  				}
    52  				for _, source := range rule.SourceRanges {
    53  					if cidr.IsPublic(source.Value()) && cidr.CountAddresses(source.Value()) > 1 {
    54  						results.Add(
    55  							"Firewall rule allows ingress traffic from multiple addresses on the public internet.",
    56  							source,
    57  						)
    58  					} else {
    59  						results.AddPassed(source)
    60  					}
    61  				}
    62  			}
    63  		}
    64  		return
    65  	},
    66  )